Closed yocarbo closed 5 years ago
So this is an exploit about using auth with unchecked user-supplied credentials. The other issue is likewise around crypto that is not active or used in my application. Given that my use of request is an unauthenticated file transfer of text data, I would characterize my exposure surface to these issues as nonexistent. If this is the product of an institutional security autoscanner and we're just checking boxes in the name of security absolution, the right thing to do is submit a Pull Request with the change.
I had other changes to publish, so I made this change as well. Thanks for the report.
Thanks for the update ;)
Hello,
✗ Medium severity vuln found in tunnel-agent@0.4.3, introduced via ascii-art@1.4.4
  Description: Uninitialized Memory Exposure
  Info: https://snyk.io/vuln/npm:tunnel-agent:20170305
  From: ascii-art@1.4.4 > request@2.79.0 > tunnel-agent@0.4.3

✗ Medium severity vuln found in cryptiles@2.0.5, introduced via ascii-art@1.4.4
  Description: Insecure Randomness
  Info: https://snyk.io/vuln/npm:cryptiles:20180710
  From: ascii-art@1.4.4 > request@2.79.0 > hawk@3.1.3 > cryptiles@2.0.5
Regards,
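Added example, not code from the ascii-art project, from Snyk, or from anyone in this thread: it parses the two findings above into records, then walks a package-lock v1 shaped tree to recover the same "From:" chains from the lockfile itself, which is how you confirm that request (not hawk, tunnel-agent or cryptiles) is the direct dependency to bump. The lockfile tree is constructed and simplified (the root's `requires` map is an assumption; a real lockfile keeps that in package.json, and the version ranges shown are illustrative).

```javascript
// Added example: parse Snyk "From:" chains and cross-check them against a
// lockfile-shaped dependency tree. Not code from ascii-art or Snyk.

// Constructed input: the two findings quoted in the issue, one field per line.
const SNYK_REPORT = `
✗ Medium severity vuln found in tunnel-agent@0.4.3, introduced via ascii-art@1.4.4
  Description: Uninitialized Memory Exposure
  Info: https://snyk.io/vuln/npm:tunnel-agent:20170305
  From: ascii-art@1.4.4 > request@2.79.0 > tunnel-agent@0.4.3
✗ Medium severity vuln found in cryptiles@2.0.5, introduced via ascii-art@1.4.4
  Description: Insecure Randomness
  Info: https://snyk.io/vuln/npm:cryptiles:20180710
  From: ascii-art@1.4.4 > request@2.79.0 > hawk@3.1.3 > cryptiles@2.0.5
`;

// Split "name@version" at the last "@" so scoped packages (@scope/name@1.0.0) work.
function splitSpec(spec) {
  const at = spec.lastIndexOf('@');
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// One record per finding; the "From:" chain becomes an array of name@version hops.
function parseSnykFindings(text) {
  const findings = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    let m;
    if ((m = line.match(/^✗ (\w+) severity vuln found in (\S+), introduced via (\S+)$/))) {
      current = { severity: m[1], ...splitSpec(m[2]), via: m[3], path: [] };
      findings.push(current);
    } else if (current && (m = line.match(/^Description: (.+)$/))) {
      current.description = m[1];
    } else if (current && (m = line.match(/^Info: (\S+)$/))) {
      current.info = m[1];
    } else if (current && (m = line.match(/^From: (.+)$/))) {
      current.path = m[1].split(' > ');
    }
  }
  return findings;
}

// The package to bump is the first hop after the project itself (path[0] is the root).
function directDependencyToBump(finding) {
  return finding.path.length > 1 ? splitSpec(finding.path[1]).name : null;
}

// Constructed, package-lock v1 shaped tree for ascii-art@1.4.4. Assumptions: the
// root's `requires` map is supplied here (a real lockfile keeps it in package.json)
// and the ranges are illustrative. Packages are hoisted; `requires` records edges.
const LOCK = {
  name: 'ascii-art',
  version: '1.4.4',
  requires: { request: '^2.79.0' },
  dependencies: {
    request: { version: '2.79.0', requires: { hawk: '~3.1.3', 'tunnel-agent': '~0.4.1' } },
    hawk: { version: '3.1.3', requires: { cryptiles: '2.x.x' } },
    cryptiles: { version: '2.0.5' },
    'tunnel-agent': { version: '0.4.3' },
  },
};

// Every path from the root to targetName@targetVersion, resolving each `requires`
// entry the way npm does: the nearest enclosing `dependencies` map wins.
function findPathsToPackage(lock, targetName, targetVersion) {
  const found = [];
  const resolve = (name, scopes) => {
    for (let i = scopes.length - 1; i >= 0; i--) {
      if (scopes[i] && scopes[i][name]) return scopes[i][name];
    }
    return null;
  };
  const walk = (name, node, scopes, chain) => {
    const id = `${name}@${node.version}`;
    if (chain.includes(id)) return; // cycle guard: npm graphs can contain cycles
    const here = [...chain, id];
    if (name === targetName && node.version === targetVersion) {
      found.push(here);
      return;
    }
    const inner = [...scopes, node.dependencies];
    for (const dep of Object.keys(node.requires || {})) {
      const child = resolve(dep, inner);
      if (child) walk(dep, child, inner, here);
    }
  };
  walk(lock.name, lock, [], []);
  return found;
}

// True when the lockfile reproduces the exact chain Snyk reported.
function snykPathConfirmed(finding, lock) {
  const want = finding.path.join(' > ');
  return findPathsToPackage(lock, finding.name, finding.version)
    .some((p) => p.join(' > ') === want);
}

// Human-readable summary, one line per finding.
function report() {
  return parseSnykFindings(SNYK_REPORT).map((f) =>
    `${f.severity}: ${f.name}@${f.version} (${f.description}); ` +
    `lockfile confirms chain: ${snykPathConfirmed(f, LOCK)}; bump: ${directDependencyToBump(f)}`);
}

console.log(report().join('\n'));
```

Both findings resolve to a single lockfile path through request@2.79.0, so one version bump of request addresses both; if `findPathsToPackage` returned a second path through another direct dependency, bumping request alone would leave that path in place.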